Data protection policy

Policy objectives

The Housing and Human Resources Administration (hereinafter "HMS" or "the Agency") processes a wide variety of personal data, in particular on those who provide services to the organisation and its staff (hereinafter collectively "the registered").

The aim of this policy is to provide the public, but in particular the data subjects, with information on the processing of personal data carried out by HMS, mainly what personal data are processed and where they are obtained, for what purpose and with what authorisation, where the data may be shared and for how long they will be stored. The policy specifies what rights the data subjects have regarding the processing and where they can direct complaints about it. Finally, the identity of the controller of the processing and the Data Protection Officer of the Authority are revealed.

The provision of this information is intended to give the data subjects an overview of the processing of their personal data at HMS and to enable them to exercise their rights related to the processing, in addition to fulfilling the duty to inform data subjects that rests on the institution under the laws on data protection and processing of personal data (pvl.), now Act No. 90/2018.

HMS tasks and authorisations for the processing of personal data

The HMS is governed by the Housing and Construction Authority Act, No 137/2019. The agency was established by the Act and took over the role and tasks of the Infrastructure Agency and part of the Housing Financing Fund, among other things. HMS took over various projects from the Consumer Agency and the National Registry in 2021-22, cf. Amendments Nos. 18/2021 and 36/2022.

The HMS projects are governed by the Construction Act, the Housing Act, the Public Housing Act, the Housing Benefit Act, the Construction Products Act, the Fire Safety Act, the Timber and Timber Products Act, the Fire and Wildfire Act, the Electrical Power Plants Safety Act, Consumer Utilities and Electrical Equipment Act, the Chemical Act, the Ecodesign Act for Products Relating to Energy Consumption, the Act on Labelling and Information Requirements relating to the Use of Energy, the Product Safety Act, the Public Sector Product and Market Surveillance Act, the Measurement, Measurement Bases and Weighing Workers Act, the Registration and Evaluation Act, the Rent Act and other laws as applicable, cf. Article 3 of the Authority Act.

  • HMS primarily processes personal data in order to enable the agency to fulfil its statutory functions, and therefore the authorisations for almost all such processing are to be found in the provisions of the aforementioned Act.

  • HMS may also be required to process personal data in order to fulfil a contract with the data subject or at the request of the data subject prior to the conclusion of a contract with the organisation.

  • HMS is careful to obtain approval in a satisfactory manner when information on this basis is requested.

Of the tasks assigned to HMS in the above Act, the Council will decide which personal data the Administration is entrusted with and to what extent. This includes, in particular, personal data:

  • on those who apply for services to the Centre and submit various types of applications, complaints, appeals or other communications to the Agency

  • on the individuals to whom such a request relates, and

  • on the representatives or contact points of legal entities concerned by the communication.

In addition, it is necessary for the Authority to process personal data of natural or legal persons represented in matters taken up by the Authority on its own initiative or by other administrative authorities. In addition to the Acts entrusting HMS with certain tasks, administrative legislation, such as the Administrative Procedures Act, the Information Act and the Public Archives Act, imposes obligations on the Administration to process personal data in order to meet the requirements of the Administration in the course of its administrative procedures.

In order to fulfil its role, HMS relies on the Institute's staff and board. HMS is subject to various obligations relating to this human resource, particularly concerning living conditions, wages, terms of service and other rights. These duties are mainly to be found in the Act on the Rights and Obligations of Government Employees, the Act on Working Environment, Health and Safety in the Workplace, the Act on Income Tax, the Act on Municipal Revenues, the Act on Payment of Public Duties at Source, the Act on Leave, the Act on Maternity and Parental Leave and the Act on Equal Status and Equal Rights of Women and Men. It is an important task of the Agency to fulfil those responsibilities in all respects and to this end it is necessary to work with a wide range of personal data.

Processing of personal data at HMS

Those who apply to the Institute

HMS must process personal data on those who submit a communication to the Authority for the purpose of ensuring correct identification of the persons concerned, verifying the rights or obligations of those to whom the communication relates, complying with the rules of investigation and other administrative procedures, and preserving sufficient information on the handling of the case in question to meet the legal obligations of the Authority, such as under the Public Archiving Act.

  • HMS therefore gathers personal information on petitioners, mainly from themselves, in particular on their names, ID numbers, connections with the relevant case and circumstances, as well as contact information.

  • The agency may also gather additional information from its own records or elsewhere for the above-mentioned purpose, such as other related matters or incidents.

  • Finally, HMS works with the personal data in question in order to arrive at a conclusion which is then generally disclosed to the data subject and, as the case may be, to other parties concerned.

In the case of an optional communication to the Agency, the data subject is not obliged to provide the personal data requested, but the failure to provide such data generally results in the failure to process the communication.

Those concerned by the Agency

The communications sought by HMS may contain personal data on individuals other than petitioners, such as counterparties or owners of other rights involved. The Authority processes such personal data for the purpose of ensuring the proper handling of the case in question, ascertaining that the Authority has fully fulfilled its legal obligations, such as regarding the right of objection, other matters relating to the investigation of the case in question and the above-mentioned obligations under the Public Archives Act. For this reason, the Administration may obtain additional information, e.g. from public records or from the registered entity itself, as above.

Those who appear in initiatives or cases from other government authorities

When the HMS opens a case on its own initiative or after having received cases from other authorities, it is obliged to process personal data relating to the persons affected for the purpose of informing the case, taking care of the rights of the person concerned to oppose the case and to fulfil other requirements made of the procedure, including the handling of the information after the case.

Staff and applicants for jobs

It is important for HMS to obtain and maintain correct information on its personnel in order to properly fulfil its obligations to them.

  • In addition to general public information, this includes, in particular, information on terms of employment and wages and matters affecting them, such as employment rights, education and seniority.

  • HMS is also required to work with information on attendance, holidays and absence, e.g. due to illness.

  • The directorate also works with information on wages and withholding of public levies to fulfil its obligations in this field.

Provision of personal data to other controllers and processors

HMS is a government-owned organisation that disseminates the personal data it manages to two types of recipients.

  • On the one hand, to other controllers, either independently or jointly with HMS, on the basis of a legal obligation, such as to the registered themselves, other government agencies, the media or the public on the basis of the Administrative Procedures Act, the Information Protection Act, the Data Protection Act or other laws.

  • On the other hand, the Authority communicates personal data to the processor, whom it assigns on the basis of a processing agreement to carry out some of the processing for which it is responsible.

HMS stores and processes all personal data within the European Economic Area. All processors of the institution operate within this region.

Automated decision making, including personal profile preparation

Automated decision-making, including personal profile modelling, is not carried out at HMS.

Personal data storage period

HMS is a party required to deliver items in accordance with the provisions of the Public Archives Act. This means that the Agency may not delete documents from its archives without a disposal authorisation from the National Archivist. In general, the documents of a party required to deliver items shall be kept by the party for at least 30 years in accordance with the applicable law, and the documents shall then be delivered to the National Archives. Deposits of each archiving period are also sent to the National Archives periodically. More detailed rules on the preservation of data are laid down in the HMS retention and disposal schedule. HMS shall as a result always preserve the personal data processed by the Administration and may not grant requests from the data subjects for their deletion.

Rights of the registered

The registered persons have many different rights, which it is important that they know about:

  • The data subject shall have an equal right to request access to and a copy of his/her personal data at HMS and to have corrections to them recorded if they are incorrect or misleading.

  • However, due to the aforementioned obligation to submit documents to the National Archives, the data subjects are not normally entitled to have their personal data processed by HMS deleted. These rights and limitations of data are further described in the laws on data protection, cf. now Articles 17 and 20 of pvl.

  • Furthermore, the data subjects listed in the latter Article of Law are entitled to transfer their own data or to have their personal data processed limited, provided further specified conditions are met. Finally, the registered persons have the right to oppose the processing under Article 21 of the Act.

  • The registered persons have the right to file a complaint with the Data Protection Authority regarding the processing. The Office of the Data Protection Authority is located at Rauðarárstígur 10, 105 Reykjavík and its email address is postur@personuvernd.is.

Information security

HMS uses a documented information security management system to ensure the protection of personal data in accordance with the rules on personal data security, No. 299/2001. The information security management system covers all major key systems of the Agency. HMS has thus established an information security policy, carried out a risk assessment and introduced appropriate security measures to ensure the security of the processing of personal data at the agency. HMS has also obtained certification of its information security management system in accordance with the standard ÍST ISO/IEC 27001, Information technology - Security techniques - Information security management systems - Requirements.

Responsible party for processing personal data at HMS

HMS is the controller of the processing of personal data carried out by and on behalf of the Authority. The directorate can be contacted by e-mail at hms@hms.is or by letter at any of the HMS facilities: Borgartún 21, 105 Reykjavík; Ártorgi 1, 550 Sauðárkrókur; or Hafnarstræti 107, 600 Akureyri.

HMS Privacy Officer

HMS has appointed a Data Protection Officer in accordance with its responsibilities as an authority, cf. Article 35 of the Data Protection Act. You can contact the Data Protection Officer of the Administration by e-mail at persona@hms.is and by letter to the address of the Data Protection Officer of HMS, Housing and Human Resources, Borgartún 21, 105 Reykjavík.

Validity and review

This Data Protection Policy was approved by the HMS Board on 22 December 2022 and will be reviewed within two years. It is published on the Institute's website. The policy was changed at a meeting of the HMS board on 28 September 2023.